CVE-2024-48949: Improper Verification of Cryptographic Signature in Elliptic

Severity
9.1 CRITICAL (NVD)
EPSS
0.3% (top 47.38%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Oct 10
Latest update: Nov 18

Description

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 | Impact: 5.2

Affected Packages (7 packages)

debian: debian/node-elliptic < node-elliptic 6.5.7+dfsg-1 (forky)
NVD: indutny/elliptic < 6.5.6
npm: indutny/elliptic < 6.5.6

Patches

🔴 Vulnerability Details

3
GHSA
Elliptic's verify function omits uniqueness validation (2024-10-10)
OSV
Elliptic's verify function omits uniqueness validation (2024-10-10)
OSV
CVE-2024-48949: The verify function in lib/elliptic/eddsa/index (2024-10-10)

📋 Vendor Advisories

3
Red Hat
elliptic: Missing Validation in Elliptic's EDDSA Signature Verification (2024-10-10)
Microsoft
The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation. (2024-10-08)
Debian
CVE-2024-48949: node-elliptic - The verify function in lib/elliptic/eddsa/index.js in the Elliptic package befor... (2024)

🕵️ Threat Intelligence

Trailofbits
We found cryptography bugs in the elliptic library using Wycheproof (2025-11-18)
CVE-2024-48949 — Indutny Elliptic vulnerability | cvebase